What he says is that chip manufacturers, such as Nvidia and others, are prioritizing the supply of chips to Artificial Intelligence Datacenters, at the expense of other supplies, such as computers, multifunction printers, and other devices.

According to him, it is expected that this situation will continue throughout 2026 and 2027, and that it will only normalize in 2028.

Which will, in every respect, be similar to what was experienced during the pandemic.

What happened during the pandemic?

During the Covid-19 pandemic, there were several delays. Some companies, due to a shortage of computers, had to provide computers with i3 processors to administrators - something that would normally be unthinkable, but had to be done, as the alternative was having no computers at all.

I recall that at ExpressGlass, it was during this phase that, for some time, we stopped purchasing from our usual suppliers and started getting computers from retail stores - basically anywhere we could find them - deviating from our usual and more professional models. This was how we resolved the situation. When stock was available, it was picked up immediately and the issue was resolved.

We felt the impact on computers, but the most concerning issue was with the toners for the Xerox multifunction printers.

Those were very worrying times because we still didn’t have electronic invoicing, so shipments from DiverAxial were required to go out with an invoice.

It was illegal for the carriers to make deliveries without the invoices, even if they had already been issued in the system. The carriers themselves wouldn’t even accept doing it. If they were stopped by the authorities and didn’t have the invoice, a fine would be imposed.

This put the entire operation and business of ExpressGlass at risk, since DiverAxial is its main supplier.

Therefore, at the time, it was necessary to source toners from various places. Coordinating all of this was not easy. We filed complaints and requested stock, but there simply wasn’t any. During this phase, the truth is that we faced significant risks.

Reality or speculation?

It is still being determined whether this will become a reality or if it is mere speculation. But the fact is that several delays are already occurring, particularly in the approval of prices and proposals.

The supplier even shared that they have already experienced a 70% increase, and since they have a supply contract, they are actually being heavily penalized.

Depending on the volume of incoming requests and their severity, chaos can quickly take over. From having no visibility into the number of requests hitting the incident response teams, to being unaware of the biggest problem hotspots, or even having technicians resolving non-urgent, low-impact issues while critical ones sit in the queue.

Follow these steps to make your day-to-day operations smoother.

Steps in Incident Management

There are three essential minimum steps for proper incident management.

Step 1: Log the Incident

The first step every technician must be instructed on is that an incident does not exist unless it is logged. For that, the ideal scenario is to have a ticketing platform that users are familiar with - everyone should receive training on it when it is implemented, and it should also be part of the onboarding training plan for new employees.

I won’t go into the topic of who should open the ticket, but in case you define it should be the user, be careful with agents who kindly open tickets on behalf of users - these cases are easy to notice in day-to-day operations, but the manager should regularly review the platform’s statistics to understand the scale of the problem. These “kind gestures” can undermine years of user education aimed at getting them to open tickets instead of approaching technicians directly.

If users have other communication channels to reach technicians and can initiate incident reporting that way, I still maintain that the incident must be logged - therefore someone has to create the ticket. In this case, it should be the technicians. The biggest challenge is getting technicians to create the ticket before starting the analysis and resolving the issue, so they don’t forget or get lazy to do it later.

In both scenarios, in less mature teams, it is common to see numerous issues solved without a ticket. This means that at the end of the day (or at the end of the month or year in accumulation), the statistics will not reflect the actual number of incidents that occurred, the real Mean Time to Resolve (MTTR), the number of incidents by category, nor the hours the team truly dedicated to this area.

Step 2: Categorize the Incident

Once logged, the incident must be categorized. Categorization helps assign the incident to the appropriate support team and also allows reporting to show which categories are becoming the most problematic.

Creating categories in a support tool is something that should be carefully considered and, like everything else, should evolve over time. What I mean by this is that it’s normal to have doubts about the structure you’re going to implement - whether it should have two levels (category and subcategory) or three (category, subcategory, and item), whether it should be specific enough to include modules within a particular application, or kept more generic.

There is no single “correct” way to implement categories. Each organization should think about what works best for them. However, based on my experience, the trend has been to simplify - meaning simplify both for users and for technicians. But only by analyzing the data can you properly assess whether this simplification limits management’s ability to understand where most problems are occurring, or where the most critical issues for the organization lie, and where time should be invested to address them.

Step 3: Prioritize the Incident

Once the incident is categorized, its priority must be defined among all the other unresolved tickets.

The priority of a ticket is determined by impact vs. urgency. This means there should be a scale for impact, another for urgency, and a matrix that clearly indicates the priority based on these two variables.

Personally, I like using the matrix provided by Freshservice (this is an affiliate link - if you sign up, I may earn a small commission at no additional cost to you):

On the X-axis we have urgency, and on the Y-axis we have impact. By classifying both, we obtain the priority that should be assigned to the ticket.

Of course, even after defining the priority, it may still match the priority of other incidents awaiting resolution. That’s where experience and business knowledge come into play.

Technicians with more years in the organization will intuitively know which tickets should take precedence - it will vary from case to case, but having alignment with leadership is ideal.

Less experienced technicians should rely on their colleagues or, ideally, their manager to understand which issues they should tackle first.

Conclusion

Incident Management only works when the fundamentals are in place: every incident must be logged, properly categorized, and prioritized based on impact and urgency. These practices may seem simple, but they form the backbone of an efficient and mature support organization.

By applying these three steps consistently, teams gain clearer visibility of their workload, reduce resolution times, improve communication with users, and build a reliable dataset to support better decision-making.

Improving Incident Management is a continuous journey - not a one-time project. Start with the basics, adapt the process to your organization, and refine it over time. Small improvements, applied consistently, lead to meaningful long-term results.

If you already follow these practices or have additional recommendations, feel free to share your experience in the comments.

Imagine being in the comfort of your home, having conversations with your partner, children, and other family members, while someone is remotely listening in through your devices.

It’s not a very pleasant situation, is it? I don’t think anyone would like that.

That’s why it’s important to take precautions to ensure that these types of situations don’t happen.

Typically, operating systems aim to protect their users from such attacks. However, the best protection always lies in combining software controls with hardware controls, meaning…

• Keeping the operating system and applications up to date;

• Regularly reviewing application permissions;

• Having an antivirus installed and kept up to date.

All of this helps protect against such threats, but it doesn’t guarantee that it won’t happen.

Therefore, the ideal solution is to use a microphone blocker, which will route the audio from your device to the blocker itself and receive audio back from it. In other words, your device will think a headset, for example, has been plugged in, so the device’s microphone is disabled, and the supposed microphone from the adapter is activated. However, this adapter does not have a built-in microphone, so it does not send any audio back to your device. This way, everything the other side hears, if someone is listening, is silence.

I recommend the microphone blockers from Mic-Lock. I personally use them on both my computer and smartphone, and they work very well.

You can test it by using a recording app to record an audio clip without the adapter and then with the adapter. When you listen to the recording later, you’ll notice that from the moment the adapter is inserted, no sound is recorded. The app continues recording, but there’s no audio input, which is exactly what we want.

United States of America

Since 2004, October has been recognized as Cybersecurity Awareness Month. This month was declared by the then President of the United States and Congress with the goal of having the public and private sectors work together to raise awareness about the importance of cybersecurity.

This initiative has gained importance over the years, with efforts between government and industry to reduce online risks and generate discussion about cyber threats on a national scale in the United States, as well as globally.

In 2023, the Cybersecurity & Infrastructure Security Agency (CISA) launched its awareness program called Secure Our World, which recognizes the importance of taking daily actions to reduce online risks and the risks of using connected devices. It also enables organizations to use this theme when preparing for Cybersecurity Awareness Month, that is, when preparing their own awareness campaigns.

Europe

On the European side, European Cybersecurity Month is the European Union (EU) campaign dedicated to promoting cybersecurity among European citizens and organizations, as well as providing updated information related to online security and sharing best practices.

Every year, throughout the entire month of October, hundreds of activities take place across Europe, including conferences, workshops, training sessions, webinars, presentations, and more, aimed at promoting digital security and cybersecurity hygiene.

This initiative is coordinated by the European Union Agency for Cybersecurity (ENISA) and the European Commission, and is supported by each Member State and hundreds of government partners, including universities, think tanks, Non-Governmental Organizations (NGOs), professional associations, and the private sector in Europe and beyond.

Since the first event in 2012, European Cybersecurity Month has been promoted under the slogan “Cybersecurity is a Shared Responsibility” and, in 2020, the motto “Think Before U Click!” was officially launched.

And the rest of the year?

Although October is considered Cybersecurity Awareness Month, we must not forget that cybersecurity is something we should be concerned about every other month. I would go further: daily, throughout the entire year.

These are government initiatives, both in the United States and Europe, aimed at creating a period, at least once a year, during which various initiatives are held to raise cybersecurity awareness. However, all individuals and businesses should be aware that it’s not just during this month that they should focus on and invest in cybersecurity, but throughout the entire year.

Attacks do not happen only in October, but throughout the entire year. Therefore, it is important that people progressively protect themselves more over the year and across the years, implementing more controls that ensure their networks, devices, and accounts are progressively more secure.

Companies, schools, and other organizations

This can be an opportunity for companies, schools, and other organizations to join this initiative and also use the month of October to promote cybersecurity. This doesn’t require a great effort, as much of the material already exists and there can simply be a sharing plan in place.

This doesn’t mean that throughout the rest of the year there isn’t a need to continue raising awareness on this topic, but the month of October can be used for greater dissemination by entities, taking advantage of all the support provided by governments and other organizations for online promotion. This also allows for sharing various best practices, information about attacks, and how to protect oneself.

How to learn more

Anyone interested in following this topic more closely and learning more can visit the following websites:

• Cybersecurity Awareness Month by CISA;

• Secure Our World;

• European Cybersecurity Month by ENISA;

• ECSM – European CyberSecurity Month.

In addition to these websites related to Cybersecurity Month, there is a vast array of other content you can follow, including forums, books, courses, newsletters like this one, among many others.

LinkedIn update to Terms and Data Use

Funny enough, just last weekend I was reviewing my LinkedIn settings (for no particular reason - I’ve been less active there lately and more on other platforms). To my surprise, I came across those options and immediately turned them off, wondering how I had missed this before. A few days later, I started seeing posts from others pointing out that LinkedIn was indeed updating its Terms and data use to reflect these changes.

👉 If you also want to opt out, go to:

Settings > Data Privacy > Data for Generic AI Improvement > Use my data for training content creation AI models (turn it off).

Referring to online accounts, imagine that somehow your credentials were compromised - that is, someone managed to discover them. If you don't have MFA enabled, the attacker will be able to access your account without any difficulty. However, with MFA active, after entering the username-password combination, the attacker will be confronted with a second authentication step using a different factor.

The goal is for only the user, the true account holder, to have access to the additional factor(s) required to access the system in question. This way, in a situation like this, the account will be protected, as it will be much harder for the attacker to bypass these other factors. However, bear in mind that harder does not mean impossible.

Authentication factors

There are three primary authentication factors. They are:

• Something you know, which can be a password, a passphrase, a PIN, the answer to security questions, etc.

• Something you have, which refers to physical devices in the user's possession that can help with authentication, such as a mobile phone, a smart card, a hardware token, a memory card, a USB drive, etc.

• Something you are, which refers to physical characteristics of a person, such as fingerprints, facial features, retina patterns, iris patterns, hand geometry, etc.

In addition to the three primary factors, attributes such as the following can be added:

• Where you are, based on a device, geographic location, a phone number, etc.

• Contextual authentication, where, for example, you can set working hours, not allowing access to the account outside of those hours. It can also include location and device type.

• Something you do, which can refer, for example, to gestures used on mobile devices to unlock them by connecting points (pattern), or image passwords, supported by Windows 10, where the user moves their fingers on the screen over an image.

Something you know

This factor is also known as knowledge-based authentication or type 1 authentication factor.

It means that the user provides something they know to authenticate themselves to a system.

In the case of passwords, they can be simple or complex, where:

• Incorrectly, people tend to use simple passwords, often related to personal information, because they are easier to remember. When this happens, passwords are easily guessed.

• When using complex passwords, people often end up writing them down somewhere, whether on post-it notes stuck to the monitor, in a notebook, or even in a text file on their computer’s desktop. In these cases, the password becomes visible to others, or even if it is not in plain sight, it can be found relatively easily.

The solution to these problems lies in Password Managers, which organize your credentials, store them securely, and, best of all, you only need to remember one password - the master password, which is used to log in to the Password Manager. This master password should be long (at least 14 characters) and, to make it easier, you can create a passphrase.

Passphrases are passwords based on phrases, making them easier to remember, and they address the complexity issue, especially when mixed with uppercase and lowercase letters, numbers, and special characters.

Regarding security questions, their security also increases if the user uses complex strings instead of the actual answer to the questions. The true answers are often so obvious to those who know the user even slightly (and with all the information shared on social media these days, this can be relatively easy), making them easy to compromise.

Something you have

This factor is also known as possession-based authentication or type 2 authentication factor.

Perhaps the most common method is One-Time Passwords (OTP), which, as the name suggests, are codes that can only be used once and expire if not used within a certain period of time. They can be generated via:

• Software (soft tokens), such as the popular Authenticator apps like Google Authenticator, Microsoft Authenticator, Cisco DUO, etc.

• Hardware (hard tokens), which are dedicated hardware devices, such as the RSA SecurID.

In addition to the type of device where they are generated, OTPs can be:

• Synchronous OTP, which is the most common and least complex. It can be time-based or counter-based. Time-based OTPs are generated every 30 or 60 seconds, while counter-based OTPs increment a number with each use.

• Asynchronous OTP, which, although less common and more complex, provides a more robust layer of security.

Smart cards, on the other hand, are so named because they contain an embedded integrated circuit that can perform calculations and generate unique authentication data for each transaction. They can be:

• Contact Smart Cards, where the chip on the card needs to make contact with the reader to receive power and allow the transaction to be completed.

• Contactless Smart Cards, where the reader sends signals that are strong enough to power the chips and communicate with them, allowing the card to perform the necessary calculations and respond to the reader.

Memory cards contain a type of memory that is embedded in a magnetic strip, usually on the back of the card, from which the same data is read during each transaction.

Something you are

Also known as biometric authentication or type 3 authentication factor.

It is divided into:

• Physiological characteristics, which can include fingerprints, hand geometry, facial features, eye characteristics (such as iris and retina), etc.

• Behavioral characteristics, which can include how a person writes, walks, speaks, presses the keys on a keyboard, etc.

Where you are

Location can be obtained based on the IP address or through geolocation.

This type of system can prevent access by users who are not in the location where they typically connect - where you are not. In fact, a basic rule is that a user should not be able to log in to their account outside of their workplace, or, if they wish to do so, they must request permission. Although this control can be easily bypassed using a VPN, it still serves as a protection that makes sense.

Single-Factor Authentication and Two-Factor Authentication

There is some confusion regarding what is considered the use of authentication factors.

For example, if a system uses more than one type of authentication, but all are from the same factor, it is not Multi-Factor Authentication, but rather Single-Factor Authentication. Examples where, despite using different types of authentication, Multi-Factor Authentication does not occur:

• The use of username/password and the answer to security questions - both mechanisms belong to the something you know factor.

• The use of a token generated by Google Authenticator and another generated by RSA SecurID - both mechanisms belong to the something you have factor.

• The use of a fingerprint reader and a retina reader - both mechanisms belong to the something you are factor.

The combination of two factors, such as something you know and something you have, can be called Two-Factor Authentication.

The difference between Two-Factor Authentication and Multi-Factor Authentication is that the former refers to the use of two factors, while the latter refers to the use of two or more factors.

It is important to note that using different types of authentication from the same factor typically does not add security, as the same type of attack can compromise them. In other words, using a password and a PIN does not guarantee that you are more secure than if you only used a password, as the same attacks that can be performed to discover the password can also discover the PIN. In contrast, when using different factors, such as a password and an OTP from a hard token, it would be necessary to both discover the password and physically steal the hard token in order to successfully access the account.

Weak and Strong Multi-Factor Authentication

Although Multi-Factor Authentication (MFA) is a recommended configuration, it does not guarantee by itself that your accounts are secure. For example, SMS-based Multi-Factor Authentication is considered weak due to an attack known as SIM Swap, in which criminals gain control of the victim's phone number, thus gaining access to the code sent to it, enabling them to log into the victim's accounts.

However, even when using strong authentication factors, there are some considerations to keep in mind:

• When using an Authenticator that sends notifications for the user to approve access, if the user is distracted or unaware of what they are doing, they may accidentally approve access for a third party without realizing what is actually happening.

• When using an Authenticator that sends notifications, generates codes, or asks for a code provided on the website, although these methods are considered secure, the user can be deceived if they access a fake website that closely resembles the real one. In such cases, the data the user enters - such as their username and password - will be sent to the real site, followed by the OTP, allowing the attacker to gain unauthorized access.

To address this, you could consider using passkeys or even security keys (physical security keys), as these devices must be physically connected to the device from which the login is being made, or brought near (via NFC), in order for access to be granted. This adds an additional layer of security by ensuring that the attacker cannot gain access without having the physical key or device.

Does the second authentication factor always have to be requested?

No, not always. For example, some services only ask for it the first time you use a particular device. After that, the device is authorized to access your account and is recognized as trusted, and by itself, functions as a factor. The second factor will only be requested when you access from a device that the service does not recognize.

There are also services that allow you to store the data for a certain period of time, not requesting the second authentication factor until that period expires.

What if I lose the MFA method?

You should always keep in mind alternatives to the MFA method you set up. For example, some services provide backup codes that can be used in case you lose access to the configured method. Make sure to note those codes down carefully. If you are using a security key as an authentication factor, like a Yubikey, it is a good practice to have a second security key in case you lose the first one. You might even consider storing the second key in a different physical location than the first.

A word about FIDO2

I can't finish this article without mentioning Fast IDentity Online 2 (FIDO2), although in a very brief way. FIDO2 is an open protocol for user authentication that uses passkeys, which are credentials created through public key cryptography, with a private key and a public key being created. The private key is securely stored on the user's device, and the public key is encrypted and sent to the service's server.

The key pair is used to authenticate the user directly on their device, whether it’s a computer, tablet, mobile phone, or security key. Whenever the user logs in, the service presents a unique challenge to the client. The device is activated via touch, fingerprint or face recognition, or PIN entry, allowing the request to be signed and returned. This makes the process cryptographically protected against phishing.

Since a different key pair is generated for each web application or website, they also have the advantage of enhancing user privacy by making it harder to link activity across services.

FIDO2 also implements the concept of Passwordless, which means that no passwords are used to log in. This makes access not only more convenient but also more secure, as the vulnerabilities associated with passwords are well known.

The first version, which introduced phishing-resistant Multifactor Authentication, was released in 2014, and the second, released in 2018, defined the standard for passwordless authentication.

Conclusion

In conclusion, despite all the information in this article, the main takeaway is the importance of enabling Multifactor Authentication on all your accounts that support it - this is usually something that can be done in your account settings.

Not all services use strong MFA, but even so, having MFA enabled - even if weak - is better than having none.

Conduct an audit of your accounts now to enable MFA on those where it’s not yet activated. It’s true that it will take some time, but in the end, you’ll feel more at ease about the security of your accounts and the information they contain.

Thinking that it only happens to others is not a good security strategy. It’s also important to keep in mind that there are various ways credentials can be compromised, whether through attacks targeting the user directly or the service where their credentials are stored. And we don’t always know how these services handle our data - in other words, there have been numerous leaks showing that some services still don’t follow best practices for storing their users’ credentials!

I don’t know if this is the case for everyone, but I type faster on a physical keyboard than on a virtual one like those on mobile devices. So, for longer texts or extended conversations, using a physical keyboard can be quite useful.

The same goes for the mouse, which can be used in various applications, including games.

For this to be possible, you may need a USB-A to USB-C adapter.

To further improve the experience, you can place the device on a dedicated stand in front of you, either horizontally or vertically, so the screen faces you without having to hold it in your hand or lay it flat on the table.

In addition to mobile devices, they can also be connected to your TV box. This makes its use much easier, since, for example, searching on YouTube with the box’s remote is… time-consuming!

Did you already know about this? Have you ever connected a keyboard and/or mouse to mobile devices or TV boxes? What was the purpose? Share your experience in the comments.

See you soon,

Nelson Lopes

On this day, Microsoft rolls out critical patches (including zero-days), security updates, cumulative updates, bug fixes, and performance/stability improvements.

In enterprise environments, don’t forget to manage updates carefully: test them on staging machines first, and only then roll them out to the rest of the organization. In fact, I recommend using a three-ring approach:

• Ring 0 – First machines and users to receive updates;

• Ring 1 – Key machines/users representing different departments;

• Ring 2 – The rest of the organization.

This can be managed using solutions like Intune, WSUS, SCCM, or other remote management platforms (RMMs).

That said, patches that fix zero-days - vulnerabilities for which no official fix existed and that may already be exploited - should be applied as early as possible, regardless of which ring the device belongs to.

Also, keep in mind: if the second Tuesday of the month is a public holiday, it’s likely that many computers were off and didn’t receive the update - meaning the real slowdown will happen on Wednesday. Just saying… it has happened before. :)

Talk soon,

Nelson

Nowadays, we increasingly have less need to carry a physical wallet. For example, in Portugal, the gov.id app (iOS, Android) already allows users to legally present their citizen card, driver’s license, vehicle registration certificate, car insurance, among other documents, meaning there’s no longer a need to carry them physically.

NFC technology, used in banking apps, has long allowed for contactless payments without physical cards. For instance, also in Portugal, the MBWay app enables payments not only via NFC but also through QR code scanning, which greatly simplifies the payment process and reduces - or even eliminates - the need to carry physical bank cards.

Still, most people continue to carry their physical ID and bank cards - either because they’re not comfortable with the technology (they don’t know how it works or are afraid of making mistakes), don’t trust it yet, haven’t taken the time to test it, or simply don’t want to. A friend of mine once said he didn’t use MBWay because it drains his smartphone battery 😮

That said, it’s important to be aware that contactless cards don’t need to be inserted into a payment terminal to complete a transaction - just bringing them close is enough. This also means that a malicious person could approach your pocket or wallet with a payment device in a crowded street or public place and charge you without your consent.

PIN entry is only required for payments above a certain amount, so any charge below that limit will go through without issue.

The same risk exists if you keep NFC enabled on your smartphone and your banking apps are configured for payments. You should always disable NFC when you’re not using it.

Additionally, it’s important to know that access cards to private buildings can be cloned very easily using tools that are freely available online - like the Flipper Zero. Once a card is scanned, its data can be stored on the Flipper Zero and:

• Replayed by holding the Flipper Zero close to an access reader, unlocking a door, safe, garage, etc. that was originally restricted to the access card;

• Or cloned onto a blank smart card, creating a duplicate of the original (which is much less suspicious than carrying around a Flipper Zero).

Because of this, I strongly recommend using RFID-blocking wallets so that all cards inside are secure from these types of attacks. These wallets are available both online and in physical stores.

Don’t forget to test your wallet to make sure the RFID-blocking actually works. To do this, try making a payment while your bank card is inside the wallet. If all goes well, nothing will happen - you’ll need to remove the card in order to complete the transaction.

If you don’t have one of these wallets yet, don’t wait. Get yours today!

Thanks, and see you soon,
Nelson

Welcome to my Substack.

In this first post, I’d like to welcome you and share a bit about what you can expect to find here.

As a computer enthusiast and Director of Information Systems, my daily work revolves around technology. Beyond managing teams and departments, I’m involved in various areas such as networks, cloud, systems administration, software engineering, ERP, RPA, VoIP, cybersecurity, and more.

Outside of work, I enjoy spending time with my family, reading, running, going to the beach, and - of course - exploring technology for personal curiosity.

I hold several certifications, including CISSP, ITIL, PMP, and C|EH. I’m also a member of the Portuguese Order of Engineers, PMI, PMI Portugal, among others.

I live in Porto, Portugal, and I’m the proud father of a little girl - and of Biscoito (Cookie), our family cat.

On this Substack, I’ll be sharing some of my experience, with a special focus on tech updates, cybersecurity, service management (ITSM), project management, productivity, and related topics.

If you want to know more about me, you can visit this page.

Thanks for reading,
Nelson